CVE-2025-2786
📋 TL;DR
This vulnerability in Tempo Operator allows users with full namespace access to extract ServiceAccount tokens and use them to query Kubernetes API permissions via TokenReview and SubjectAccessReview requests. This exposes information about other users' permissions, potentially aiding reconnaissance for further attacks. Affected users are those running vulnerable Tempo Operator versions with namespace-level access.
💻 Affected Systems
- Tempo Operator
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could map all RBAC permissions in the cluster, identifying high-privilege accounts and service relationships to plan targeted attacks.
Likely Case
Internal users with namespace access gather information about other users' permissions, potentially identifying misconfigurations or privileged accounts.
If Mitigated
With proper network policies and RBAC restrictions, impact is limited to information disclosure within controlled boundaries.
🎯 Exploit Status
Exploitation requires an account that already holds enough access in the Tempo namespace to obtain a ServiceAccount token (reading the namespace's Secrets or creating a token for the ServiceAccount is sufficient), network reachability to the Kubernetes API server, and familiarity with the TokenReview and SubjectAccessReview APIs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions referenced in Red Hat advisories RHSA-2025:3607 and RHSA-2025:3740
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-2786
Restart Required: Yes
Instructions:
1. Update Tempo Operator to a patched version.
2. Apply the Red Hat security updates referenced in the advisories above.
3. Restart the Tempo Operator pods.
4. Verify that the permissions of the ServiceAccounts in the Tempo namespace are properly restricted.
🔧 Temporary Workarounds
Audit and Remove Access to ServiceAccount Tokens
Kubernetes RBAC is purely additive: creating another Role or ClusterRole cannot take access away, and binding one to system:authenticated would grant that access to every user in the cluster. Instead, find which principals in the affected namespace can read Secrets or mint tokens for its ServiceAccounts (either lets a user obtain the token this CVE relies on) and remove or narrow those bindings.
kubectl get rolebindings -n <tempo-namespace> -o wide
kubectl auth can-i get secrets -n <tempo-namespace> --as=<user>
kubectl auth can-i create serviceaccounts/token -n <tempo-namespace> --as=<user>
🧯 If You Can't Patch
- Use network policies so that only the pods that legitimately need the Kubernetes API server (the operator and the Tempo components it manages) can reach it from the affected namespace.
- Apply strict RBAC controls so that namespace users cannot read Secrets or create tokens for the operator's ServiceAccounts, and monitor the audit log for TokenReview and SubjectAccessReview requests made with those ServiceAccount identities from outside their own pods.
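The RBAC side of these workarounds, as an added example that is not from the advisory or the Tempo Operator project: the first binding is what "full namespace access" usually looks like in practice and is the weak setting, because the built-in edit ClusterRole can read Secrets and create tokens for any ServiceAccount in the namespace; the Role and binding that follow are a narrower replacement. The namespace tempo-team, the group tracing-team and the role names are assumptions.

```yaml
# Added example; namespace, group and role names are assumptions.
#
# WEAK: "edit" (like "admin") grants get/list on secrets and create on
# serviceaccounts/token, so anyone in tracing-team can obtain a token for
# every ServiceAccount in the namespace, including the operator-managed ones.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tracing-team-edit
  namespace: tempo-team
subjects:
  - kind: Group
    name: tracing-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# CORRECTED: a Role that covers day-to-day work with Tempo resources and
# deliberately has no rule for secrets or serviceaccounts/token.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tempo-user
  namespace: tempo-team
rules:
  - apiGroups: ["tempo.grafana.com"]
    resources: ["tempostacks", "tempomonolithics"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tracing-team-tempo-user
  namespace: tempo-team
subjects:
  - kind: Group
    name: tracing-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tempo-user
  apiGroup: rbac.authorization.k8s.io
```

Apply the corrected Role and binding, then delete the edit binding; with RBAC being additive, leaving the old binding in place would keep the weak access regardless of what else is added.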
🔍 How to Verify
Check if Vulnerable:
Check the running Tempo Operator image against the versions in the Red Hat advisories above, and test whether a token for a ServiceAccount in the Tempo namespace can be used for TokenReview or SubjectAccessReview requests.
Check Version:
The upstream operator installs into tempo-operator-system, while on OpenShift the namespace is typically openshift-tempo-operator, so search every namespace:
kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.spec.containers[*].image}{"\n"}{end}' | grep tempo-operator
Verify Fix Applied:
After patching, repeat the check: a SubjectAccessReview or TokenReview sent with a token for the affected ServiceAccount should fail (HTTP 403, or 401 if the token is no longer valid) rather than be answered.
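The check described in the TL;DR and in this section, as an added example (not code from the Tempo Operator project or the Red Hat advisory): it builds the two review requests, sends them with a ServiceAccount token and classifies the API server's answer. It assumes you already hold a bearer token for the ServiceAccount under test (for example minted with kubectl create token by an account that has the namespace access this CVE requires) and know the API server URL; the subject alice and the CA file path are placeholders.

```python
"""Probe whether a ServiceAccount token can issue TokenReview / SubjectAccessReview.

Added example for this page; not code from the Tempo Operator project or the
Red Hat advisory. Assumptions: a bearer token for the ServiceAccount under
test, the API server URL, and an optional CA bundle. "alice" is a placeholder.
"""
import json
import ssl
import urllib.error
import urllib.request

SAR_PATH = "/apis/authorization.k8s.io/v1/subjectaccessreviews"
TOKENREVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"


def build_subject_access_review(user, verb, resource, namespace=None, group=""):
    """SubjectAccessReview asking whether *user* may *verb* *resource*.

    This is the information-disclosure primitive: the caller names any user
    and the API server answers with that user's effective RBAC decision.
    """
    attrs = {"verb": verb, "resource": resource, "group": group}
    if namespace:
        attrs["namespace"] = namespace
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {"user": user, "resourceAttributes": attrs},
    }


def build_token_review(token_to_check):
    """TokenReview resolving a bearer token to its username and groups."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token_to_check},
    }


def classify(http_status, body):
    """Turn the API server's reply into a verdict for this page's check.

    A review object is created (HTTP 201) even when the answer inside it is
    negative, so 201 means the token *can* run reviews: the vulnerable posture.
    401/403 means it cannot: the posture this page expects after the fix.
    """
    if http_status in (401, 403):
        return "denied"
    if http_status == 201:
        status = body.get("status", {})
        if "allowed" in status:            # SubjectAccessReview reply
            return "allowed" if status["allowed"] else "not-allowed"
        if "authenticated" in status:      # TokenReview reply
            return "authenticated" if status["authenticated"] else "unauthenticated"
    return "unexpected-%s" % http_status


def post_review(api_server, bearer_token, path, body, cafile=None):
    """POST a review with the ServiceAccount token and classify the outcome."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        api_server + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": "Bearer " + bearer_token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return classify(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:   # 401/403 arrive as exceptions
        return classify(err.code, {})


if __name__ == "__main__":
    import sys
    # usage: probe.py https://api.example:6443 <service-account-token> [ca.crt]
    api, token = sys.argv[1], sys.argv[2]
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    sar = build_subject_access_review("alice", "list", "secrets", namespace="kube-system")
    print("SubjectAccessReview about alice:", post_review(api, token, SAR_PATH, sar, ca))
    print("TokenReview of the probe token:",
          post_review(api, token, TOKENREVIEW_PATH, build_token_review(token), ca))
```

On a vulnerable setup the first call returns allowed or not-allowed, which is already the leak: the caller has learned whether alice can list Secrets in kube-system without having any right to know. After the fix the expected verdict for both calls is denied.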
📡 Detection & Monitoring
Log Indicators:
- Unusual TokenReview or SubjectAccessReview requests from ServiceAccount tokens
- Multiple permission queries from single token
Network Indicators:
- Sustained bursts of TokenReview or SubjectAccessReview calls to the API server from pod IPs in the Tempo namespace, in particular from a pod other than the one the ServiceAccount normally runs in
SIEM Query:
source="kubernetes-audit" AND verb="create" AND stage="ResponseComplete" AND (objectRef.resource="tokenreviews" OR objectRef.resource="subjectaccessreviews") | stats count dc(requestObject.spec.user) AS distinct_subjects values(sourceIPs{}) AS source_ips by user.username
The stage filter avoids counting each request twice (RequestReceived and ResponseComplete), and requestObject.spec.user is only present when the audit policy logs these resources at RequestResponse level; without it the query still gives counts and source IPs per identity.
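The same indicators as detection logic over audit events, as an added example that is not code from the page's vendor, the Tempo Operator project or any SIEM. The ServiceAccount names, pod IPs and audit events are all constructed. The point it adds to the indicators above: a Tempo gateway's own identity legitimately issues SubjectAccessReviews for every query it authorizes, so the identity alone is not a signal; the signal is that identity reviewing from somewhere other than its own pod (an extracted token), or an identity that never reviews starting to.

```python
"""Run this page's audit-log indicators over constructed Kubernetes audit events.

Added example; not code from the page's vendor, the Tempo Operator project or
any SIEM. ServiceAccount names, pod IPs and the audit events are constructed.
"""
import json

REVIEW_RESOURCES = {"tokenreviews", "subjectaccessreviews"}

GATEWAY = "system:serviceaccount:tempo-team:tempo-gateway"   # assumed name
PROXY = "system:serviceaccount:monitoring:kube-rbac-proxy"   # assumed name

# Constructed baseline: reviewer identity -> pod IPs it is expected to run at.
# In production derive this from your pod inventory rather than hard-coding it.
KNOWN_REVIEWERS = {
    GATEWAY: {"10.128.2.14"},
    PROXY: {"10.128.1.7"},
}


def _event(stage, verb, resource, user, ip, spec=None):
    """Build one constructed audit event in the JSON shape the API server emits."""
    ev = {"stage": stage, "verb": verb, "user": {"username": user},
          "objectRef": {"resource": resource}, "sourceIPs": [ip]}
    if spec is not None:   # requestObject is only logged at RequestResponse level
        ev["requestObject"] = {"spec": spec}
    return json.dumps(ev)


SAR_ALICE = {"user": "alice", "resourceAttributes": {"verb": "list", "resource": "secrets"}}
SAMPLE_AUDIT_LINES = [
    # Gateway doing its normal job from its own pod IP: legitimate.
    _event("ResponseComplete", "create", "subjectaccessreviews", GATEWAY, "10.128.2.14",
           {"user": "dave", "resourceAttributes": {"verb": "get", "resource": "traces"}}),
    # The gateway's token used from another pod to map three users' permissions.
    _event("ResponseComplete", "create", "subjectaccessreviews", GATEWAY, "10.128.3.99", SAR_ALICE),
    _event("ResponseComplete", "create", "subjectaccessreviews", GATEWAY, "10.128.3.99",
           {"user": "bob", "resourceAttributes": {"verb": "create", "resource": "pods"}}),
    _event("ResponseComplete", "create", "subjectaccessreviews", GATEWAY, "10.128.3.99",
           {"user": "carol", "resourceAttributes": {"verb": "*", "resource": "*"}}),
    _event("ResponseComplete", "create", "tokenreviews", GATEWAY, "10.128.3.99", {"token": "<redacted>"}),
    # RequestReceived stage of the alice review: must not be counted twice.
    _event("RequestReceived", "create", "subjectaccessreviews", GATEWAY, "10.128.3.99", SAR_ALICE),
    # Another legitimate reviewer, and an unrelated non-review event.
    _event("ResponseComplete", "create", "subjectaccessreviews", PROXY, "10.128.1.7",
           {"user": "erin", "resourceAttributes": {"verb": "get", "resource": "pods"}}),
    _event("ResponseComplete", "create", "pods", "alice", "10.0.0.5"),
]


def is_review_create(ev):
    """One completed TokenReview or SubjectAccessReview creation."""
    return (ev.get("stage") == "ResponseComplete"
            and ev.get("verb") == "create"
            and ev.get("objectRef", {}).get("resource") in REVIEW_RESOURCES)


def review_findings(lines, known=KNOWN_REVIEWERS):
    """Group review creations by (principal, source IP) and keep the suspicious ones.

    Returns {(principal, ip): {"reviews": n, "queried_users": [...], "reason": str}}.
    """
    groups = {}
    for line in lines:
        ev = json.loads(line)
        if not is_review_create(ev):
            continue
        principal = ev.get("user", {}).get("username", "<unknown>")
        for ip in ev.get("sourceIPs") or ["<none>"]:
            if principal not in known:
                reason = "unknown_reviewer"       # nobody expects this identity to review
            elif ip not in known[principal]:
                reason = "token_used_off_pod"     # right identity, wrong origin: extracted token
            else:
                continue
            g = groups.setdefault((principal, ip),
                                  {"reviews": 0, "queried_users": set(), "reason": reason})
            g["reviews"] += 1
            queried = ((ev.get("requestObject") or {}).get("spec") or {}).get("user")
            if queried:
                g["queried_users"].add(queried)   # breadth of the permission mapping
    return {k: dict(v, queried_users=sorted(v["queried_users"])) for k, v in groups.items()}


if __name__ == "__main__":
    for (who, ip), f in review_findings(SAMPLE_AUDIT_LINES).items():
        print(f"{f['reason']}: {who} from {ip}, {f['reviews']} reviews, asked about {f['queried_users']}")
```

On the constructed input the only finding is the gateway identity at 10.128.3.99 with four reviews that asked about alice, bob and carol; the gateway's own review from 10.128.2.14 and the proxy's review are baseline and produce nothing. Pod IPs change, so in a real pipeline join the event's sourceIPs against current pod IPs for the ServiceAccount's own pods rather than a static table.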